How to parse a string with special format into obj...

jvdev · ‎04-14-2022

Hi there,

I have trying to use spath to try to extract fields inside a string. Currently, the string has this format..

stringField=["fieldOne": "fieldValue", "fieldTwo": "fieldValue", "fieldThree": "fieldValue"]

So, my string inside has some kinda of array with key value pairs. I would to be able to extract those fields and values in a way that I can use their information for my queries.

I would like to be able to get the value of fieldOne by just calling the fieldOne variable/object to get it's value to perform my desire task/stats and so on..

I was trying something like... but no luck!

search... | spath input=stringField

search... | eval newVariable=spath(_raw,'stringField')

search... | spath

search... | spath path=stringField output=newField

The first option of just using input with the spath command only gave me back the first field inside my string. And it was listed as {} field.

I would really appreciate the help!

ITWhisperer · ‎04-15-2022

| eval stringField="{".trim(stringField,"[]")."}"
| spath input=stringField

How to parse a string with special format into objects or variables?

field extraction

fields

subsearch

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Accelerating Observability as Code with the Splunk AI Assistant

Join the Conversation